FIX: require re-activation if SSO changes email and updates it

app/models/discourse_single_sign_on.rb

@@ -166,6 +166,7 @@ class DiscourseSingleSignOn < SingleSignOn
   def change_external_attributes_and_override(sso_record, user)
     if SiteSetting.sso_overrides_email && user.email != email
       user.email = email
+      user.active = false if require_activation
     end
 
     if SiteSetting.sso_overrides_username && user.username != username && username.present?

spec/models/discourse_single_sign_on_spec.rb

@@ -253,6 +253,28 @@ describe DiscourseSingleSignOn do
       expect(user.active).to eq(false)
     end
 
+    it 'deactivates accounts that have updated email address' do
+
+      SiteSetting.sso_overrides_email = true
+      sso.require_activation = true
+
+      user = sso.lookup_or_create_user(ip_address)
+      expect(user.active).to eq(false)
+
+      old_email = user.email
+
+      user.update_columns(active: true)
+      user = sso.lookup_or_create_user(ip_address)
+      expect(user.active).to eq(true)
+
+      user.update_columns(email: 'xXx@themovie.com')
+
+      user = sso.lookup_or_create_user(ip_address)
+      expect(user.email).to eq(old_email)
+      expect(user.active).to eq(false)
+
+    end
+
   end
 
   context 'welcome emails' do
@@ -267,13 +289,13 @@ describe DiscourseSingleSignOn do
 
     it "sends a welcome email by default" do
       User.any_instance.expects(:enqueue_welcome_message).once
-      user = sso.lookup_or_create_user(ip_address)
+      _user = sso.lookup_or_create_user(ip_address)
     end
 
     it "suppresses the welcome email when asked to" do
       User.any_instance.expects(:enqueue_welcome_message).never
       sso.suppress_welcome_message = true
-      user = sso.lookup_or_create_user(ip_address)
+      _user = sso.lookup_or_create_user(ip_address)
     end
   end